Department of Homeland Security
Office of Inspector General

Information Technology Management Letter for the Transportation Security Administration
Component of the FY 2010 DHS Financial Statement Audit

OIG-11-73                                            April 2011

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 25028

APR 13 2011

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established
by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector
General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as
part of our oversight responsibilities to promote economy, efficiency, and effectiveness within
the department.

This report presents the information technology (IT) management letter for the FY 2010
Transportation Security Administration (TSA) component of the DHS financial statement audit
as of September 30, 2010. It contains observations and recommendations related to information
technology internal control that were summarized in the Independent Auditors' Report dated
November 12, 2010 and presents the separate restricted distribution report mentioned in that
report.
The independent accounting firm KPMG LLP (KPMG) performed the audit procedures
at the TSA component in support of the DHS FY 2010 financial statements and prepared this IT
management letter. KPMG is responsible for the attached IT management letter dated February
16, 2011, and the conclusions expressed in it. We do not express opinions on DHS' financial
statements or internal control or conclusions on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office,
and have been discussed in draft with those responsible for implementation. We trust that this
report will result in more effective, efficient, and economical operations. We express our
appreciation to all of those who contributed to the preparation of this report.

Assistant Inspector General
Information Technology Audits

KPMG LLP
2001 M Street, NW
Washington, DC 20036-3389

February 16, 2011

Inspector General
U.S. Department of Homeland Security
Chief Information Officer and Chief Financial Officer
Transportation Security Administration

Ladies and Gentlemen:

We were engaged to audit the balance sheet of the U.S. Department of Homeland Security (DHS or
Department), as of September 30, 2010, and the related statement of custodial activity for the year
then ended (hereinafter referred to as “financial statements”). We were also engaged to examine
the Department’s internal control over financial reporting of the balance sheet as of September 30,
2010, and the statement of custodial activity for the year then ended.
We were not engaged to audit
the statements of net cost, changes in net position, and budgetary resources as of September 30,
2010 (hereinafter referred to as “other fiscal year (FY) 2010 financial statements”), or to examine
internal control over financial reporting over the other FY 2010 financial statements.

Because of matters discussed in our Independent Auditors’ Report, dated November 12, 2010, the
scope of our work was not sufficient to enable us to express, and we did not express, an opinion on
the financial statements or on the effectiveness of DHS’ internal control over financial reporting of
the balance sheet as of September 30, 2010, and related statement of custodial activity for the year
then ended. Additional deficiencies in internal control over financial reporting, potentially
including additional material weaknesses and significant deficiencies, may have been identified and
reported had we been able to perform all procedures necessary to express an opinion on the
financial statements or on the effectiveness of DHS’ internal control over financial reporting of the
balance sheet as of September 30, 2010, and related statement of custodial activity for the year then
ended; and had we been engaged to audit the other FY 2010 financial statements, and to examine
internal control over financial reporting over the other FY 2010 financial statements.

A control deficiency exists when the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to prevent, or detect and
correct misstatements on a timely basis. A significant deficiency is a deficiency, or a combination
of deficiencies, in internal control that is less severe than a material weakness, yet important enough
to merit attention by those charged with governance.
A material weakness is a deficiency, or a
combination of deficiencies, in internal control, such that there is a reasonable possibility that a
material misstatement of the entity’s financial statements will not be prevented, or detected and
corrected on a timely basis.

The Transportation Security Administration (TSA) is a component of DHS. During our audit
engagement, we noted certain matters in the areas of information technology (IT) configuration
management, access controls, and security management with respect to TSA’s financial systems
information technology (IT) general controls, which we believe are control deficiencies. These
matters are described in the IT General Control and Financial System Functionality Findings and
Recommendations by Audit Area section of this letter.

Information Technology Management Letter for the TSA Component
of the FY 2010 DHS Financial Statement Audit

KPMG LLP is a Delaware limited liability partnership,
the U.S. member firm of KPMG International Cooperative
(“KPMG International”), a Swiss entity.

The control deficiencies described above are presented in our Independent Auditors’ Report, dated
November 12, 2010. This letter represents the separate limited distribution letter mentioned in that
report.

The control deficiencies described herein have been discussed with the appropriate members of
management, and communicated through a Notice of Finding and Recommendation (NFR).

Because of its inherent limitations, internal control over financial reporting may not prevent, or
detect and correct misstatements.
Also, projections of any evaluation of effectiveness to future
periods are subject to the risk that controls may become inadequate because of changes in
conditions, or that the degree of compliance with the policies or procedures may deteriorate. We
aim to use our knowledge of TSA gained during our audit engagement to make comments and
suggestions that are intended to improve internal control over financial reporting or result in other
operating efficiencies. We have not considered internal control since the date of our Independent
Auditors’ Report.

The Table of Contents on the next page identifies each section of the letter. We have provided a
description of key TSA financial systems and IT infrastructure within the scope of our engagement
to audit the FY 2010 DHS financial statements in Appendix A; a description of each internal control
finding in Appendix B; the current status of the prior year NFRs in Appendix C; and TSA
management’s written response in Appendix D. Our comments related to certain additional matters
have been presented in a separate letter to the Office of Inspector General and the TSA Chief
Financial Officer.

TSA’s written response to our comments and recommendations has not been subjected to auditing
procedures and, accordingly, we express no opinion on it.

This communication is intended solely for the information and use of DHS and TSA management,
DHS Office of Inspector General, OMB, U.S.
Government Accountability Office, and the U.S.
Congress, and is not intended to be and should not be used by anyone other than these specified
parties.

Very truly yours,

Department of Homeland Security
Transportation Security Administration
Information Technology Management Letter
September 30, 2010

INFORMATION TECHNOLOGY MANAGEMENT LETTER
TABLE OF CONTENTS

Objective, Scope, and Approach
Summary of Findings and Recommendations
IT General Controls and Financial System Functionality Findings and Recommendations by Audit Area
  Related to IT Financial Systems Controls
    Configuration Management
    Access Control
    Security Management
      After-Hours Physical Security Testing
      Social Engineering Testing
  Related to Financial System Functionality
Application Controls
Management Comments and OIG Response

APPENDICES

Appendix  Subject
A         Description of Key TSA Financial Systems and IT Infrastructure within the Scope of
          the FY 2010 DHS Financial Statement Audit Engagement
B         FY 2010 Notices of IT Findings and Recommendations at TSA
            • Notice of Findings and Recommendations – Definition of Severity Ratings
C         Status of Prior Year Notices of Findings and Recommendations and Comparison to
          Current Year Notices of Findings and Recommendations at TSA
D         Management Response

OBJECTIVE, SCOPE, AND APPROACH

In connection with our engagement to audit DHS’ balance sheet as of September 30, 2010 and the
related statement of custodial activity for the year then ended, we performed an evaluation of information
technology general controls (ITGC) at TSA, to assist in planning and performing our audit.
The U.S.
Coast Guard’s (Coast Guard) Finance Center (FINCEN) hosts key financial applications for TSA. As
such, our audit procedures over IT general controls for TSA included testing of the Coast Guard’s
FINCEN policies, procedures, and practices, as well as TSA policies, procedures and practices at TSA
Headquarters. The Federal Information System Controls Audit Manual (FISCAM), issued by the GAO,
formed the basis of our ITGC evaluation procedures. The scope of the ITGC evaluation is further
described in Appendix A.

The FISCAM was designed to inform financial auditors about IT controls and related audit concerns to
assist them in planning their audit work and to integrate the work of auditors with other aspects of the
financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of
review that generally should be performed when evaluating general controls and the IT environment of a
federal agency. FISCAM defines the following five control functions to be essential to the effective
operation of the general IT controls environment.
• Configuration Management (CM) – Controls that help to prevent the implementation of unauthorized
  programs or modifications to existing programs.
• Access control (AC) – Controls that limit and/or monitor access to computer resources (data,
  programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure.
• Security management (SM) – Controls that provide a framework and continuing cycle of activity for
  managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy
  of computer-related security controls.
• Segregation of duties (SD) – Controls that constitute policies, procedures, and an organizational
  structure to prevent one individual from controlling key aspects of computer-related operations, thus
  deterring unauthorized actions or access to assets or records.
• Contingency Planning (CP) – Controls that involve procedures for continuing critical operations
  without interruption, or with prompt resumption, when unexpected events occur.

To complement our general IT controls audit, we also performed technical security testing for key
network and system devices. The technical security testing was performed both over the Internet and
from within select Coast Guard facilities, and focused on test, development, and production devices that
directly support TSA’s financial processing and key general support systems.

Application controls were not tested for the year ending September 30, 2010 due to the nature of
prior-year audit findings.

SUMMARY OF FINDINGS AND RECOMMENDATIONS

During FY 2010, TSA took corrective action to address prior year IT control deficiencies. For example,
TSA made improvements in its own policies and procedures over its own configuration management
monitoring controls related to the development, implementation, and tracking of scripts at Coast Guard’s
FINCEN. However, during FY 2010, we continued to identify IT general control deficiencies that impact
TSA’s financial data.
The key issue from a financial statement audit perspective related to controls over
the development, implementation, and tracking of scripts at Coast Guard’s FINCEN. Collectively, these
deficiencies negatively impacted the internal controls over TSA’s financial reporting and its operation. In
addition, based upon the results of our test work, we noted that TSA did not fully comply with the
Department’s requirements of the Federal Financial Management Improvement Act (FFMIA).

Of the four findings issued during our TSA FY 2010 testing, three were repeated findings and one was a
new IT finding. These findings represent deficiencies in three of the five FISCAM key control areas.
Specifically the deficiencies were: 1) unverified access controls through the lack of comprehensive user
access privilege re-certifications, 2) security management issues involving the terminated employee
process, and 3) physical security and security awareness issues.

In addition, we determined that the following deficiencies identified at the Coast Guard IT environment
also impact TSA financial data: 1) inadequately designed and operating IT script change control policies
and procedures, 2) security management issues involving civilian and contractor background
investigations, 3) lack of consistent contractor, civilian, and military system account termination
notification process, 4) physical security and security awareness issues, and 5) procedures for role-based
training for individuals with elevated responsibilities not fully implemented. We also considered the
effects of financial systems functionality when testing internal controls since key Coast Guard financial
systems that house TSA financial data are not compliant with FFMIA and are no longer supported by the
original software provider.
Financial system functionality limitations add to the challenge of addressing
systemic internal control deficiencies, and strengthening the control environment at FINCEN.

These deficiencies may increase the risk that the confidentiality, integrity, and availability of system
controls and TSA financial data could be exploited thereby compromising the integrity of financial data
used by management and reported in TSA’s financial statements.

While the recommendations made by us should be considered by TSA, it is the ultimate responsibility of
TSA management to determine the most appropriate method(s) for addressing the deficiencies identified
based on their system capabilities and available resources.

IT GENERAL CONTROLS AND FINANCIAL SYSTEM FUNCTIONALITY
FINDINGS AND RECOMMENDATIONS BY AUDIT AREA

Findings:

During the FY 2010 DHS Financial Statement Audit, we identified the following TSA IT and financial
system control deficiencies that in the aggregate are considered management letter comments.
Our
findings are divided into two groupings: 1) financial systems controls and 2) IT system functionality.

Related to IT Financial Systems Controls:

Configuration Management

The Coast Guard’s core financial system configuration management process controls are not operating
effectively, and continue to present risks to TSA financial data confidentiality, integrity, and availability.
Financial data in the general ledger may be compromised by automated and manual changes that are not
adequately controlled. For example, the Coast Guard uses an IT scripting process to make updates, as
necessary, to its core general ledger software to process financial data. We noted that some previously
noted weaknesses were remediated (particularly in the second half of FY 2010), while other control
deficiencies continued to exist. The remaining control deficiencies vary in significance; however three
key areas that impact the Coast Guard IT Script control environment are: 1) Script Testing Requirements,
2) Script Testing Environment, and 3) Script Audit Logging Process.
1) Script Testing Requirements: Limited testing requirements exist to guide FINCEN staff in the
   development of test plans and guidance over the functional testing that should be performed.
2) Script Testing Environment: Not all script changes were tested in the appropriate test environments.
3) Script Audit Logging Process: FINCEN’s core system databases are logging changes to tables as
   well as successful and unsuccessful logins.
   However, no reconciliation between the scripts run and
   the changes made to the database tables is being performed to monitor the script activities and ensure
   that all scripts run have been approved.

In addition, we noted weaknesses in the script change management process at the USCG as it relates to
the Internal Control over Financial Reporting (ICOFR) process (e.g., the financial statement impact of the
changes to FINCEN core accounting system through the script change management process).

Access Control
• Access review procedures for key financial applications do not include the review of all user accounts
  to ensure that all terminated individuals no longer have active accounts; inactive accounts are locked;
  and privileges associated with each individual are still authorized and necessary.

Security Management
• The computer access agreement and exit clearance procedures for TSA employees have not been
  consistently implemented; and
• During our after-hours physical security and social engineering testing we identified exceptions in the
  protection of sensitive user account information. The tables below detail the exceptions identified at
  the locations tested.

After-Hours Physical Security Testing:

We performed after-hours physical security testing to identify risks related to non-technical aspects of IT
security.
These non-technical IT security aspects include physical access to media and equipment that
houses financial data and information residing on a TSA employee’s / contractor’s desk, which could be
used by others to gain unauthorized access to systems housing financial information. The testing was
performed at TSA Headquarters.

Exceptions Noted                             Total Exceptions at TSA HQ by Type
Passwords                                    0
For Official Use Only (FOUO)                 0
Keys/Badges                                  0
Personally Identifiable Information (PII)    0
Server Names/IP Addresses                    0
Unsecured Laptop                             1
External Drives                              0
Credit Cards                                 0
Classified Documents                         0
Other – US government official passport      0
Total Exceptions at TSA HQ                   1

Social Engineering Testing:

Social engineering is defined as the act of attempting to manipulate or deceive individuals into taking
action that is inconsistent with DHS policies, such as divulging sensitive information or allowing /
enabling computer system access.
The term typically applies to trickery or deception for the purpose of
information gathering, or gaining computer system access.

Total Called    Total Answered    Number of people who provided a password
45              10                3 People Provided Their Passwords

Related to Financial System Functionality:

We noted that financial system functionality limitations are contributing to control deficiencies reported
herein, and inhibiting progress on corrective actions impacting TSA. These functionality limitations are
preventing the TSA from improving the efficiency and reliability of its financial reporting processes.
Some of the financial system limitations lead to extensive manual and redundant procedures to process
transactions, verify accuracy of data, and to prepare financial statements. Systemic conditions related to
financial system functionality include:
• As noted above, Coast Guard’s core financial system configuration management process is not
  operating effectively due to inadequate controls over the IT script process.
  The IT script process was
  instituted as a solution primarily to compensate for system functionality and data quality issues;
• Production versions of operational financial systems are outdated, no longer supported by the vendor,
  and do not provide the necessary core functional capabilities (e.g., general ledger capabilities); and
• Issues with current technology are preventing TSA management from reviewing account
  recertification reports timely.

Recommendations:

We recommend that TSA:
• Conduct an assessment over the ICOFR process related to identifying and evaluating scripts that have
  a financial statement impact, in coordination with USCG. This assessment can be included in the
  testing of the TSA Script Configuration Management Oversight Process as part of TSA’s annual
  OMB Circular A-123 efforts. Further, we recommend that this assessment (1) be performed early in
  FY 2011, in time to remediate deficiencies before the end of the third quarter, and (2) involve process
  documentation and sufficient testing to fully assess both design and operating effectiveness of
  controls.
• Have FINCEN update its helpdesk procedures to provide the correct guidelines so that its helpdesk
  staff will no longer grant additional Standard Financial Procurement Desktop roles that were not
  requested via the Automated Access Request (AAR) process. TSA should closely monitor the
  requests implemented by FINCEN to ensure that the updated procedures are being followed.
• Improve the timeline and process of its quarterly review.
  TSA should update its procedures to
  monitor the timeliness, accuracy and quality of the quality review process.
    - Update quarterly review Internal Standard Operating Procedure to add the expected timeline
      to complete the quarterly review.
    - Conduct timely follow-up and review of the actual FINCEN implementation of the AARs to
      ensure that the AARs were implemented as requested.
• Work with FINCEN to identify and implement the best solution to remove the one Sunflower role
  from the user’s profile.
• Work with FINCEN to research and identify options to enhance the automated AAR process.
• Provide more training and oversight for any new access manager to ensure the process is thoroughly
  followed.
• Closely monitor and follow-up with FINCEN to ensure requests are implemented timely and
  correctly.
• Review and identify alternate reporting processes in cases of technical difficulties where supervisors
  cannot access the master files on SharePoint.
• Supervisors and Contracting Officer’s Technical Representatives within each program office in TSA
  should ensure that each TSA employee and contractor have on file a signed Computer Access
  Agreement form, prior to any financial system access being granted.
• Continue to execute the IT Security Awareness Training program.
• Conduct an internal Physical Security walkthrough on a bi-annual basis.
• Conduct one-on-one training with individuals failing physical security after-hours testing.
• Conduct a communications campaign to address the effects of improper handling of Physical
  Security.
• Conduct internal Social Engineering testing on a quarterly basis.
• Conduct one-on-one training with individuals failing social engineering attempts.
• Conduct a communications campaign via broadcast warning against social engineering.

APPLICATION CONTROLS

Application controls were not tested for the year ending September 30, 2010, due to the nature of the
prior-year audit findings.

MANAGEMENT COMMENTS AND OIG RESPONSE

We obtained written comments on a draft of this report from TSA’s Chief Financial Officer and Chief
Information Officer. Generally, TSA management agreed with our findings and recommendations. TSA
management has developed a remediation plan to address these findings and recommendations.
We have
included a copy of the comments in Appendix D.

OIG Response

We agree with the steps that TSA management is taking to satisfy these recommendations.

Appendix A

Description of Key TSA Financial Systems and IT Infrastructure within the Scope of the FY
2010 DHS Financial Statement Audit Engagement

Below is a description of significant TSA financial management systems and supporting IT infrastructure
included in the scope of the engagement to perform the financial statement audit.

Locations of Audit: TSA Headquarters in Washington, D.C. and the Coast Guard FINCEN in Chesapeake,
Virginia.
TSA\xe2\x80\x99s financial applications are hosted on the Coast Guard\xe2\x80\x99s IT platforms.\nKey Systems Subject to Audit:\n\xef\xbf\xbd\t Core Accounting System (CAS): Core accounting system that is the principal general ledger for\n   recording financial transactions for TSA. CAS is hosted at FINCEN, the Coast Guard\xe2\x80\x99s primary data\n   center. It is a customized version of Oracle Financials.\n\xef\xbf\xbd\t Financial Procurement Desktop (FPD): Used to create and post obligations to the core accounting\n   system. It allows users to enter funding, create purchase requests, issue procurement documents,\n   perform system administration responsibilities, and reconcile weekly program element status reports.\n   FPD is interconnected with the CAS system and is hosted at FINCEN.\n\xef\xbf\xbd\t Sunflower: Sunflower is a customized third party commercial off the shelf product hosted at FINCEN\n   and used for TSA and Federal Air Marshals property management. Sunflower interacts directly with the\n   financial accounting (FA) module in CAS. Additionally, Sunflower is interconnected to the FPD\n   system.\n\xef\xbf\xbd\t MarkView: MarkView is an imaging and workflow software used to manage invoices in CAS. Each\n   invoice is stored electronically and associated to a business transaction so that users are able to see the\n   image of the invoice. 
MarkView is interconnected with the CAS system and is located at the FINCEN in\n   Chesapeake, VA and is managed by the United States Coast Guard.\n\n\n\n\n               Information Technology Management Letter for the TSA Component \n \n\n                         of the FY 2010 DHS Financial Statement Audit \n \n\n                                           Page 8\n \n\n\x0c                                                                     Appendix B\n                Department of Homeland Security \n \n\n             Transportation Security Administration \n \n\n            Information Technology Management Letter\n                       September 30, 2010\n\n\n\n\n                          Appendix B \n \n\n\nFY 2010 Notice of IT Findings and Recommendations at the TSA \n \n\n\n\n\n\nInformation Technology Management Letter for the TSA Component \n \n\n          of the FY 2010 DHS Financial Statement Audit \n \n\n                            Page 9\n \n\n\x0c                                                                                                 Appendix B\n                                     Department of Homeland Security \n \n\n                                  Transportation Security Administration \n \n\n                                 Information Technology Management Letter\n                                            September 30, 2010\n\n\n\n\nNotice of Findings and Recommendations \xe2\x80\x93 Definition of Severity Ratings:\n\nEach NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the DHS\nConsolidated Independent Auditors\xe2\x80\x99 Report.\n\n      1 \xe2\x80\x93 Not substantial \n \n\n      2 \xe2\x80\x93 Less significant \n \n\n      3 \xe2\x80\x93 More significant \n \n\n\nThe severity ratings indicate the degree to which the deficiency influenced the determination of severity for\nconsolidated reporting purposes.\n\nThese rating are provided only to assist TSA in the development of its 
corrective action plans for\nremediation of the deficiency.\n\n\n\n\n               Information Technology Management Letter for the TSA Component \n \n\n                         of the FY 2010 DHS Financial Statement Audit \n \n\n                                           Page 10\n \n\n\x0c                                                                                                                                        Appendix B\n                                                   Department of Homeland Security \n \n\n                                                Transportation Security Administration \n \n\n                                               Information Technology Management Letter\n                                                          September 30, 2010\n\n                                    Notification of Findings and Recommendations \xe2\x80\x93 Detail\n\n NFR                                                                                                                            New       Repeat     Severity\n                                   Condition                                              Recommendation\n No.                                                                                                                            
Issue      Issue      Rating\nTSA-IT\xc2\xad   To complement our IT audit testing efforts as part of the         We recommend TSA in the area of physical                        X           1\n 10-01    FY2010 DHS Integrated Audit, we also performed social             Security to:\n          engineering and after hours physical security testing During\n          our testing we identified the following                           1) Continue to execute the          IT   Security\n                                                                               Awareness Training program;\n          During our after-hours physical security testing, we identified\n          one instance of an unsecured laptop computer;                     2) Conduct an internal Physical          Security\n                                                                               walkthrough on a bi-annual basis;\n          During our social engineering testing, we were provided with\n          three user\xe2\x80\x99s passwords.                                           
3) Conduct one-on-one training with individuals\n                                                                               failing physical security after-hours testing;\n\n                                                                            4) Take administrative actions, if needed, on a\n                                                                               case-by-case basis; and\n\n                                                                            5) Conduct a communications campaign to\n                                                                               address the effects of improper handling of\n                                                                               Physical Security.\n\n                                                                            We recommend TSA in the area of social\n                                                                            engineering to:\n\n                                                                            1) Continue to execute the          IT   Security\n                                                                               Awareness Training program;\n\n                                                                            2) Conduct internal Social Engineering testing\n                                                                               on a quarterly basis;\n\n                                                                            3) Conduct one-on-one training with individuals\n                                                                               failing social engineering attempts.\n\n                              Information Technology Management Letter for the TSA Component \n \n\n                                        of the FY 2010 DHS Financial Statement Audit \n \n\n                                                          Page 11\n \n\n\x0c                                                             
                                                                          Appendix B\n                                                  Department of Homeland Security \n \n\n                                               Transportation Security Administration \n \n\n                                              Information Technology Management Letter\n                                                         September 30, 2010\n\n NFR                                                                                                                           New       Repeat     Severity\n                                   Condition                                             Recommendation\n No.                                                                                                                           Issue      Issue      Rating\n                                                                           4) Conduct a communications campaign via\n                                                                              broadcast warning against social engineering.\n\nTSA-IT\xc2\xad   Core Accounting System (CAS) & Financial Procurement             We recommend TSA to take the following                          X           2\n 10-02    Desktop (FPD)                                                    corrective actions:\n          During our FY 2010 IT test work, we determined that TSA\n          had created an Internal Standard Operating Procedure (ISOP)\n                                                                           CAS/FPD:\n          to detail how quarterly access reviews were to be performed.\n          We compared a listing of TSA, CAS, and FPD users to the          1) Have FINCEN update its helpdesk procedures\n          master listing of users who needed modifications or deletions       to provide the correct guidelines so that its\n          for three quarters (Q1, Q2, and Q3). 
We did not identify any        helpdesk staff will no longer grant additional\n          exceptions for Q1 and Q2; however, for the 3rd quarter, one         Standard FPD roles that were not requested on\n          CAS user was not deleted or modified within 50 days after the       AAR. TSA should closely monitor the\n          end of the completion of the 3rd quarter. In addition, we           requests implemented by FINCEN to ensure\n          noted 115 FPD users were not deleted or modified within 51          that the updated procedures are being\n          days after the completion of the 3rd quarter.                       followed.\n\n          Sunflower                                                        2) Improve the timeline and process of its\n          During our FY 2010 test work, we determined that the Office         Quarterly Review. TSA should update its\n          of Property Management (OPM) performs monthly access                procedures to monitor the timeliness, accuracy\n          reviews over Sunflower user accounts. OPM runs three                and quality of the Quality Review process.\n          Sunflower reports each month, and the Deputy Property                    a. Update Quarterly Review ISOP to\n          Management Officials (DPMOs) and OPM Access Manager                         add the expected timeline to complete\n          review the reports and provide dates and initials by each user              the quarterly review.\n          reviewed. However, for the three months sampled, we                      b. Conduct timely follow-up and review\n          determined that three Sunflower users, who had update                       of the actual FINCEN\n          privileges, had not had their access removed in a timely                    implementation of the AARs to\n          manner. 
All users were reviewed in January, but two were                    ensure that the AARs were\n          not removed until July, and the other user was not removed                  implemented as requested.\n          until August.\n                                                                           3) Work with FINCEN to identify and\n                                                                              implement the best solution to remove the one\n                                                                              Sunflower role from the user\xe2\x80\x99s profile.\n\n                              Information Technology Management Letter for the TSA Component \n \n\n                                        of the FY 2010 DHS Financial Statement Audit \n \n\n                                                          Page 12\n \n\n\x0c                                                                                                                                      Appendix B\n                                                  Department of Homeland Security \n\n                                               Transportation Security Administration \n\n                                              Information Technology Management Letter\n                                                         September 30, 2010\n\n NFR                                                                                                                          New       Repeat     Severity\n                                  Condition                                              Recommendation\n No.                                                                                                                          
Issue      Issue      Rating\n\n                                                                          4) Work with FINCEN to research and identify\n                                                                             options to enhance the automated AAR\n                                                                             process.\n\n                                                                          Sunflower:\n                                                                          1) Provide more training and oversight for any\n                                                                              new access manager to ensure the process is\n                                                                              thoroughly followed.\n\n                                                                          2) Closely monitor and follow-up with FINCEN\n                                                                             to ensure requests are implemented timely and\n                                                                             correctly.\n\n                                                                          3) Review and identify alternate reporting\n                                                                             processes in cases of technical difficulties\n                                                                             where supervisors cannot access the master\n                                                                             files on SharePoint.\n\nTSA-IT\xc2\xad   During our FY 2010 audit test work, we selected a sample of     We recommend that TSA take the following                        X           1\n 10-03    the following forms required by the TSA directive and           corrective action:\n          determined the following:\n                                                                          Supervisors and Contracting 
Officer\xe2\x80\x99s Technical\n          \xef\xbf\xbd    Form 1403 Computer Access Agreement: Per the TSA           Representatives within each program office in\n               IT Security Policy Handbook, all TSA personnel,            TSA should ensure, as required by the IT Security\n               including contractors, are required to review and sign     Policy Handbook, that evidence be maintained on\n               Form 1403: Computer Access Agreement upon                  file for each TSA employee and contractor the\n               commencement of working for the agency. Our testing        Computer Access Agreement form, signed prior to\n               noted that of the five forms sampled, one form was         any financial system access is granted.\n               completed one month after the user was granted access to\n               a TSA system.\nTSA-IT\xc2\xad   During the FY 2010 IT audit, we determined that TSA has         We recommend that TSA work with the DHS              X                      2\n 10-04    fully implemented the TSA ISOP: Process for Validation of       Chief Financial Officer and the DHS Chief\n                              Information Technology Management Letter for the TSA Component \n\n                                        of the FY 2010 DHS Financial Statement Audit \n\n                                                          Page 13\n \n\n\x0c                                                                                                                                    Appendix B\n                                               Department of Homeland Security \n \n\n                                            Transportation Security Administration \n \n\n                                           Information Technology Management Letter\n                                                      September 30, 2010\n\nNFR                                                                                                       
                  New       Repeat     Severity\n                               Condition                                              Recommendation\nNo.                                                                                                                         Issue      Issue      Rating\n      Controls over the USCG Script Process to monitor scripts run     Information Officer to ensure that Coast Guard\n      at FINCEN.                                                       Headquarters\' completes, in a timely manner, the\n                                                                       planned corrective actions to:\n      Specifically, we noted that TSA has implemented an\n      extensive review of the scripts that impact TSA on a weekly,     1) Update the scripting policies and procedures\n      monthly, quarterly and ad hoc basis. Additionally, a baseline       to include additional and more detailed test\n      review was performed to ensure that all scripts that were run       documentation;\n      in production prior to 4/1/2010. Approximately 160 scripts\n      were reviewed for their purpose and the financial impact of      2) Develop training that addresses all aspects of\n      the scripts were understood by the various stakeholders in the      script testing (including documentation of test\n      script review process, which included the Script Technical          documents) and provide training to\n      Lead, Script Module Leads (SMLs), and Subject Matter                appropriate CM staff;\n      Experts (SMEs). Any script that was not included in the\n      baseline review was considered new and was included in the       3) Develop a resource plan (RP) with associated\n      weekly, monthly, quarterly and ad hoc review process. 
The           supporting business case(s) to address the\n      reviews conducted by TSA included validation and                    database audit logging requirements;\n      verification steps to ensure that the Coast Guard is properly\n      tracking the TSA scripts and that those scripts go through the   4) Develop procedures and perform regular\n      proper configuration management processes.                          account revalidation for Serena to ensure\n                                                                          privileges remain appropriate; and\n      We noted no exceptions during our testing of the TSA Script\n      Configuration Management (CM) Oversight Process.                 5) Conduct an assessment over the ICOFR\n                                                                          process related to identifying and evaluating\n      Configuration Management Controls Over the Coast Guard              scripts that have a financial statement impact.\n      Scripting Process                                                   This assessment can be included in the\n                                                                          Configuration Management Oversight Process\n      The analysis conducted over the Coast Guard script                  as part of Coast Guard\xe2\x80\x99s annual A-123 efforts\n      configuration management process reflects the assessment of         or performed independent of the A-123\n      the control environment for the entire fiscal year.                 process. We recommend that this assessment\n      Weaknesses identified over the process are risks that existed       (1) be performed early in the FY 2011, in time\n      in the environment from October 2009 to September 2010              to remediate deficiencies before the end of the\n      unless otherwise noted.                                             
third quarter, and (2) involve process\n                                                                          documentation and sufficient testing to fully\n                          Information Technology Management Letter for the TSA Component \n \n\n                                    of the FY 2010 DHS Financial Statement Audit \n \n\n                                                      Page 14\n \n\n\x0c                                                                                                                                         Appendix B\n                                                Department of Homeland Security \n \n\n                                             Transportation Security Administration \n \n\n                                            Information Technology Management Letter\n                                                       September 30, 2010\n\nNFR                                                                                                                              New       Repeat     Severity\n                                Condition                                               Recommendation\nNo.                                                                                                                              Issue      Issue      Rating\n                                                                             third quarter, and (2) involve process\n      1.   Based upon follow-up test work performed in FY 2010,\n                                                                             documentation and sufficient testing to fully\n           we determined that some previously noted weaknesses\n                                                                             assess both design and operating effectiveness\n           were remediated (particularly in the second half of FY\n                                                                             of controls. 
The objective is to have a reliable\n           2010), while other control deficiencies continued to exist.\n                                                                             process and internal controls in place that\n           The remaining control deficiencies that were present\n                                                                             allow the auditor to test, and rely on those\n           throughout FY 2010 vary in significance; however three\n                                                                             controls, during the fourth quarter of FY 2011.\n           key areas that impact the Coast Guard Script control\n           environment are: 1) Script Testing Requirements, 2)\n                                                                         TSA Specific Recommendation:\n           Script Testing Environment, and 3) Script Audit Logging\n           Process.                                                      Continue to conduct an assessment over the\n                                                                         ICFOR process related to identifying and\n                                                                         evaluating scripts that have a financial statement\n               a.   Script Testing Requirements: Limited testing         impact. Findings should be communicated and\n                    requirements exist to guide FINCEN staff in the      coordinated with USCG, as appropriate. This\n                    development of test plans and guidance over the      assessment can be included in the testing of the\n                    functional testing that should be performed.         
TSA Script Configuration Management Oversight\n                    Additionally, we determined that there are no        Process as part of TSA\xe2\x80\x99s annual A-123 efforts.\n                    detailed requirements over the review and            Further, we recommend that this assessment (1) be\n                    testing of functional changes to the data.           performed early in the FY 2011, in time to\n                    FINCEN only tracks and documents the number          remediate deficiencies before the end of the third\n                    of transactions updated on scripts that have a       quarter, and (2) involve process documentation\n                    financial impact and not the detailed dollar         and sufficient testing to fully assess both design\n                    amounts associated with the financial impact         and operating effectiveness of controls. The\n                    transactions.                                        objective is to have a reliable process and internal\n                                                                         controls in place that allow the auditor to test, and\n               b.   Script Testing Environment: Not all script\n                                                                         rely on those controls, during the fourth quarter of\n                    changes were tested in the appropriate CAS\n                                                                         FY 2011.\n                    Suite test environments as required. 
FINCEN\n                    management informed us that the testing\n                    environments, CAS4 and LUFSFQT3, were\n                    offline for these exceptions due to a refresh of\n                    the databases and that testers used CAS3 and\n                    Alpha as alternate testing environments instead.\n                           Information Technology Management Letter for the TSA Component \n \n\n                                     of the FY 2010 DHS Financial Statement Audit \n \n\n                                                       Page 15\n \n\n\x0c                                                                                                       Appendix B\n                                              Department of Homeland Security \n \n\n                                           Transportation Security Administration \n \n\n                                          Information Technology Management Letter\n                                                     September 30, 2010\n\nNFR                                                                                            New       Repeat     Severity\n                               Condition                                      Recommendation\nNo.                                                                                            Issue      Issue      Rating\n                   However, FINCEN management informed\n                   KPMG that these environments are refreshed on\n                   an as needed basis and no further information\n                   could be provided on how frequently the CAS3\n                   and Alpha databases were refreshed to verify\n                   that the scripts were adequately tested in the\n                   appropriate environment. 
Furthermore, we\n                   determined that guidance is not provided over\n                   the use of alternate testing environments for the\n                   testing of scripts to ensure they are adequately\n                   tested.\n              c.   Script Audit Logging Process: The CAS, FPD,\n                   and Sunflower databases are logging changes to\n                   tables as well as successful and unsuccessful\n                   logins. However, no reconciliation between the\n                   scripts run and the changes made to the database\n                   tables is being performed to monitor the script\n                   activities and ensure that all scripts run have\n                   been approved through CMSS or Serena. In\n                   addition, we noted that FINCEN has not\n                   established a formal process to monitor and\n                   review changes made to the Sunflower database\n                   including the tables and activities modified by\n                   the database administrators.\n\n\n\n      Internal Control Over Financial Reporting \xe2\x80\x93 Financial\n      Statement Impact.\n      The USCG has established certain processes to identify and\n      assess the validity of scripts that may have a financial\n      statement impact [on both USCG and TSA financial\n\n                          Information Technology Management Letter for the TSA Component \n \n\n                                    of the FY 2010 DHS Financial Statement Audit \n \n\n                                                      Page 16\n \n\n\x0c                                                                                                        Appendix B\n                                               Department of Homeland Security \n \n\n                                            Transportation Security Administration \n \n\n                                           Information Technology 
Management Letter\n                                                      September 30, 2010\n\nNFR                                                                                             New       Repeat     Severity\n                               Condition                                       Recommendation\nNo.                                                                                             Issue      Issue      Rating\n      statements]. This process is performed by one primary\n      individual, and two identified backup personnel, who perform\n      a review of the script for accuracy and propriety, provides\n      feedback to the source, and ultimately approves the\n      application. This process has certain control deficiencies that\n      have been communicated to USCG (see NFR # CG-IT-10\xc2\xad\n      05), which have led, in part, to TSA\xe2\x80\x99s adoption of certain\n      redundant controls to review TSA scripts for propriety.\n      Furthermore, the rationale documenting the impact of the\n      script, whether deemed as having financial impact or not, is\n      not documented and retained. In addition, within the CAS\n      Suite environment, there are over 200 scripts run on a weekly\n      basis. During FY 2010, through this review TSA has\n      discovered various errors that USCG was required to correct.\n      The exceptions noted by TSA are indicative of weaknesses in\n      the USCG process.\n      We also consider this control aspect to be principally\n      important for TSA to monitor Coast Guard\xe2\x80\x99s corrective\n      actions taken. 
In addition, TSA should consider, as part of\n      their annual A-123 efforts, adding their own A-123 testing\n      procedures in identifying and evaluating the financial impact\n      of TSA scripting at the Coast Guard.\n\n\n                                         Appendix C\n\n    Status of Prior Year Notices of Findings and Recommendations and Comparison to\n              Current Year Notices of Findings and Recommendations at TSA\n\n\n                                                                                          Disposition\n\n  NFR No.       
Description                                                           Closed       Repeat\nTSA-IT-10-20    TSA Computer Access Agreement Process                                              TSA-IT-10-03\nTSA-IT-10-23    Configuration Management Controls Over the Coast Guard Scripting      X\n                Process (Included a specific TSA condition)\nTSA-IT-10-28    Physical Security and Security Awareness Issues Identified during                  TSA-IT-10-01\n                Enhanced Security Testing\nTSA-IT-10-29    Core Accounting System, Financial Procurement Desktop, and                         TSA-IT-10-02\n                Sunflower Access Recertifications\n\n\n                                         Appendix D\n\n                                                                                      Transportation Security Administration\n\n        MEMORANDUM FOR:                  Frank Deffer\n                                         Assistant Inspector General, Information Technology Audits\n                                         Department of Homeland Security\n                                         Office of Inspector General\n                                         245 Murray Lane, SW\n                                         Building 410\n                                         Washington, DC 20528\n\n        FROM:                            Dr. Emma Garrison-Alexander\n                                         Chief Information Officer\n                                         Transportation Security Administration\n\n                                         David Nicholson\n                                         Chief Financial Officer\n                                         Office of Finance and Administration\n\n        SUBJECT:                         Response - Draft Report: Information Technology Management Letter for\n                                         the Transportation Security Administration Component of the FY 2010 DHS\n                                         Financial Statement Audit\n\n        Dear Mr. 
Deffer:\n\n        Thank you for the opportunity to comment on the Draft Report: Information Technology Management Letter\n        for the Transportation Security Administration Component of the FY 2010 DHS Financial Statement Audit.\n        TSA has reviewed the Management Letter and confirmed the conditions and recommendations are consistent\n        with NFRs received in the FY 2010 audit. We are in the process of implementing the recommendations and\n        have no changes to the draft report. Again, TSA appreciates the opportunity to review the report, and we look\n        forward to working with your team during the upcoming FY 2011 Financial Statement Audit.\n\n        File: 1000.2.1-a\n\n\n                   Report Distribution\n\n                   Department of Homeland Security\n\n                   Secretary\n                   Deputy Secretary\n                   General Counsel\n                   Chief of Staff\n                   Deputy Chief of Staff\n                   Executive Secretariat\n                   Under Secretary, Management\n                   Administrator, TSA\n                   DHS Chief Information Officer\n                   DHS Chief Financial Officer\n                   Chief Financial Officer, TSA\n                   Chief Information Officer, TSA\n                   Chief Information Security Officer\n                   Assistant Secretary for Office of Policy\n                   Assistant Secretary 
for Office of Public Affairs\n                   Assistant Secretary for Office of Legislative Affairs\n                   DHS GAO OIG Audit Liaison\n                   Chief Information Officer, Audit Liaison\n                   TSA Audit Liaison\n\n                   Office of Management and Budget\n\n                   Chief, Homeland Security Branch\n                   DHS OIG Budget Examiner\n\n                   Congress\n\n                   Congressional Oversight and Appropriations Committees, as appropriate\n\n\nADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100,\nfax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.\n\n\nOIG HOTLINE\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal\nmisconduct relative to department programs or operations:\n\n\xe2\x80\xa2 Call our Hotline at 1-800-323-8603;\n\n\xe2\x80\xa2 Fax the complaint directly to us at (202) 254-4292;\n\n\xe2\x80\xa2 Email us at DHSOIGHOTLINE@dhs.gov; or\n\n\xe2\x80\xa2 Write to us at:\n       DHS Office of Inspector General/MAIL STOP 2600,\n       Attention: Office of Investigations - Hotline,\n       245 Murray Drive, SW, Building 410,\n       Washington, DC 20528.\n\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'